Bug 1902687 (CVE-2020-8285)
| Summary: | CVE-2020-8285 curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | amctagga, andrew.slice, anharris, blpowers, bniver, bodavis, cmoore, csutherl, dbhole, erik-fedora, flucifre, gmeno, gzaronik, hhorak, hvyas, jclere, jorton, jwon, kanderso, kaycoth, kdudka, krathod, kwalsh, luhliari, mbabacek, mbenjamin, mhackett, mike, mjg, msekleta, mturk, omajid, paul, pjindal, rakesh.pandit, rwagner, security-response-team, sostapov, svashisht, vereddy, walter.pete |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://issues.redhat.com/browse/JBCS-1045 | | |
| Whiteboard: | | | |
| Fixed In Version: | curl 7.74.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | Libcurl offers a wildcard matching functionality, which allows a callback (set with `CURLOPT_CHUNK_BGN_FUNCTION`) to return information back to libcurl on how to handle a specific entry in a directory when libcurl iterates over a list of all available entries. When this callback returns `CURL_CHUNK_BGN_FUNC_SKIP`, to tell libcurl not to deal with that file, the internal function in libcurl then calls itself recursively to handle the next directory entry. If there are enough file entries and the callback returns "skip" enough times, libcurl runs out of stack space. The exact number needed will of course vary with platform, compiler and other environmental factors. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-05-18 20:37:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1905124, 1905126, 1902889, 1902890, 1905123, 1906110, 1906112, 1906114, 1906116 | | |
| Bug Blocks: | 1902669 | | |
Description
Marian Rehak
2020-11-30 12:21:34 UTC
Flaw summary: A malicious server whose filesystem is configured in a crafted way could crash an application using libcurl as a dependency by causing a stack overflow via uncontrolled recursion. This could result in a temporary denial of service. Note that the curl program itself is not affected, as it does not use the affected functionality of libcurl.

Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Created curl tracking bugs for this issue:
Affects: fedora-all [bug 1906110]

Created flickcurl tracking bugs for this issue:
Affects: epel-7 [bug 1906116]
Affects: fedora-all [bug 1906114]

Created mingw-curl tracking bugs for this issue:
Affects: fedora-all [bug 1906112]

Acknowledgments:
Name: Varnavas Papaioannou

External References:
https://github.com/curl/curl/issues/6255
https://curl.se/docs/CVE-2020-8285.html

Upstream commit:
https://github.com/curl/curl/commit/69a358f2186e04

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:1610 https://access.redhat.com/errata/RHSA-2021:1610

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-8285

This issue has been addressed in the following products:
JBoss Core Services Apache HTTP Server 2.4.37 SP8
Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471

This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
JBoss Core Services for RHEL 8
Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472
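The recursion-per-skip pattern the Doc Text describes, modelled next to the loop-based shape that removes the stack growth, as an added C example that is not libcurl's own code. The callback verdict constants, the `skip_tmp_files` policy, the depth counter and the directory listing are all constructed for illustration; the loop variant shows the general fix for this class of bug, not the exact upstream patch.

```c
#include <stddef.h>
#include <string.h>
/* Callback verdicts, mirroring libcurl's CURL_CHUNK_BGN_FUNC_OK / CURL_CHUNK_BGN_FUNC_SKIP. */
#define CHUNK_BGN_OK   0
#define CHUNK_BGN_SKIP 1
typedef int (*chunk_bgn_cb)(const char *entry);

/* Constructed sample policy: skip temporary files, transfer the rest. */
static int skip_tmp_files(const char *entry)
{
    size_t len = strlen(entry);
    return (len >= 4 && strcmp(entry + len - 4, ".tmp") == 0) ? CHUNK_BGN_SKIP : CHUNK_BGN_OK;
}

/* Vulnerable shape: every SKIP verdict recurses to inspect the next entry, so one stack frame
 * is spent per consecutively skipped entry. Returns the index of the next entry to transfer
 * (n when done); *max_depth records the deepest recursion reached, for demonstration only. */
static size_t next_entry_recursive(const char **entries, size_t n, size_t i,
                                   chunk_bgn_cb cb, size_t depth, size_t *max_depth)
{
    if (depth > *max_depth) *max_depth = depth;
    if (i < n && cb(entries[i]) == CHUNK_BGN_SKIP)
        return next_entry_recursive(entries, n, i + 1, cb, depth + 1, max_depth);
    return i;
}
/* Fixed shape: the same decision, but a skipped entry advances a loop variable instead of
 * adding a stack frame, so stack use is constant however many entries are skipped. */
static size_t next_entry_loop(const char **entries, size_t n, size_t i, chunk_bgn_cb cb)
{
    while (i < n && cb(entries[i]) == CHUNK_BGN_SKIP)
        i++;
    return i;
}
/* Drives a listing through either variant; returns how many entries would be downloaded. */
static size_t transfer_all(const char **entries, size_t n, chunk_bgn_cb cb,
                           int use_loop, size_t *max_depth)
{
    size_t transferred = 0, i = 0;
    *max_depth = 0;
    for (;;) {
        i = use_loop ? next_entry_loop(entries, n, i, cb)
                     : next_entry_recursive(entries, n, i, cb, 0, max_depth);
        if (i >= n) return transferred;
        transferred++; /* entries[i] would be downloaded here */
        i++;
    }
}
/* Constructed directory listing from a hypothetical FTP server: three skips in a row. */
static const char *listing[] = { "a.txt", "b.tmp", "c.tmp", "d.tmp", "e.txt" };
static const size_t listing_len = sizeof(listing) / sizeof(listing[0]);
```

With this listing the recursive variant needs three nested frames to get past the skipped entries, while the loop variant reaches the same two transfers with no recursion at all; a server-controlled listing with thousands of skipped entries is what turns that difference into the stack exhaustion described above.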